Vulnerability Details : CVE-2023-40023
yaklang is a programming language designed for cybersecurity. The Yak Engine has been found to contain a local file inclusion (LFI) vulnerability. This vulnerability allows attackers to include files from the server's local file system through the web application. When exploited, this can lead to the unintended exposure of sensitive data, potential remote code execution, or other security breaches. Users utilizing versions of the Yak Engine prior to 1.2.4-sp1 are impacted. This vulnerability has been patched in version 1.2.4-sp1. Users are advised to upgrade. Users unable to upgrade may avoid exposing vulnerable versions to untrusted input and closely monitor any unexpected server behavior until they can upgrade.
Vulnerability category: File inclusion, Execute code, Information leak
Products affected by CVE-2023-40023
- cpe:2.3:a:yaklang:yaklang:1.2.0:sp6:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.0:sp7:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.0:sp8:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:-:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp2:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp3:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp4:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp5:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp6:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp7:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp8:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.1:sp9:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:-:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp1:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp2:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp3:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp4:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp5:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp6:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.2:sp7:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.3:-:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.3:sp1:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.3:sp2:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.3:sp3:*:*:*:*:*:*
- cpe:2.3:a:yaklang:yaklang:1.2.4:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-40023
- EPSS score: 0.34% (probability of exploitation activity in the next 30 days)
- Percentile: ~72% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-40023
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2023-40023
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-40023
- https://github.com/yaklang/yaklang/security/advisories/GHSA-xvhg-w6qc-m3qq
  Yaklang Plugin's Fuzztag Component Allows Unauthorized Local File Reading · Advisory · yaklang/yaklang · GitHub (Third Party Advisory)
- https://github.com/yaklang/yaklang/pull/296
  disable default file fuzztag in fuzz.Pool by VillanCh · Pull Request #296 · yaklang/yaklang · GitHub (Patch)
- https://github.com/yaklang/yaklang/pull/295
  add limit for general file-fuzztag by VillanCh · Pull Request #295 · yaklang/yaklang · GitHub (Patch)